WARNING!

LIVE WIRELESS VIRUSES

DO NOT OPEN THE DOOR!

IF THE DOOR IS CLOSED THERE IS VIRUS TESTING

IN 





But surely you're not serious? 



mobile phone viruses are just an urban legend. . . 
. . . they are not really spreading anywhere. . . 

...you are just hyping them... 



and stop calling me Shirley. 




Mobile viruses: this is already happening... 



More than 370 mobile phone viruses so far 

Tens of thousands of infections worldwide 

Reports about Cabir and Commwarrior from over 30 countries 

Operator with 9 million customers: almost 5% of MMS traffic infected 

Operator with 14 million customers: Over 8000 infected devices have 
sent over 450000 MMS messages. Largest number of messages sent 
by one phone: 3500. 

Operators have given money back to customers who had Commwarrior 



Prerequisites for any Malware Outbreak 



Enough functionality 

• for the malware to work 

Enough connectivity 

• for the malware to spread 

Enough target terminals 

• for the platform to become an interesting target 



Smartphone markets 



Very important differences on the markets: 



Americas 
EMEA 

APAC

Number of mobile malware

Types of mobile threats



What we have seen so far 

• Viruses 

• Worms 

• Trojans 

• Spy tools 






What we have not seen yet

• Rootkits

• Worms that do not need user interaction for spreading

• Mobile botnets

• Large-scale profit-oriented malware (professionals)

Malware per Platform by Year 




Platform 

Palm 



PocketPC 

Symbian 

J2ME 



3 

2 

22

All

Mobile malware by Type




Viruses 



58 



Trojans 



297 



Spyware

What do the trojans do?

Break the phone so that it crashes and will not boot again

• SymbOS/Doomboot family

Break phone services like Messaging, Web, Camera etc.

• SymbOS/Skulls family

Cause monetary loss by sending messages

• SymbOS/Mquito.A, Java/Redbrowser.A

Steal user's private information and send it out via Bluetooth

• SymbOS/Pbstealer family

Set random password to phone memory card, making it useless

• SymbOS/Cardblock.A

Delete user e-mail, SMS messages and other critical information

• SymbOS/Cardblock.A




F-SECURE 







Infection mechanisms 



Bluetooth 
MMS 

Memory cards 
User download 



71 
23 




373

In-the-wild Spreading vectors



1. Bluetooth 

2. MMS 

3. User downloads 

4. Memory cards 



Not yet:

- Email

- SMS

- WLAN

- P2P

- IM

So, where are they coming from?

Europe

- Norway 

- Spain 



South America 

- Brazil 

Asia 

- India 

- Malaysia 

- Indonesia 

- Philippines 

- China

Where in the world is the problem?

Variants in families

Data source: F-Secure

Variants

Appdisabler
Blankfont
Bootton
Cabir
Cardblock
Cardtrap
Cdropper
Commwarrior
Dampig
Doomboot
Drever
Fontal
Hobbes
Lasco
Locknut
Mabir
Mabtal
Mquito
Nogav
Pbstealer
Sendtool
Singlejump
Skulls
Redbrowser
Cxover
Sdropper
Stealwar
Trojan-spy.FlexiSpy
Commdropper
Rommwar
Romride
Acallno
Wesber
Flerprox
Feak



How come Windows Mobile is not targeted more?

Good question.

It will be.

Low market share explains a bit, but not everything

So, why do people get infected?



Because of the user interface

Cabir is still spreading in the wild



Cabir was found in June 2004 

First in-the-wild report from the Philippines in August 2004

Still in-the-wild in 2007

F-Secure Bluetooth Honeypot Prototype

Closest 14 discoverable Bluetooth devices
(currently 1 34 devices in range, total 828)

Bluetooth Device

Commwarrior



By "e10d0r"

Symbian Series 60 virus 

First virus to spread over 
MMS messages 

Also spreads over Bluetooth 

Worst we've seen so far 

Could be really expensive

"OTMOP03KAM HET!"

First mobile phone virus that tries to infect Windows PCs too
Drops two Windows viruses to phone's memory card

Case Viver

May 18th 2007: First international SMS trojans found from a
Symbian download site

Three different fake applications

When installed, they start to send expensive premium-rate
SMS messages to an international service number

Each SMS costs about US$7




[Screenshot: Bluetooth, "NetCompressor.sis"; install prompt "Install NetCompressor?" with the options Yes / No]

What are the vendors doing?



Phone manufacturers: fixing the Bluetooth user interface issue
Symbian: shipped Symbian 9
Symbian Signed introduced

Video: Improved Bluetooth user interface

S60 3rd Edition (or S60 3.0)
vs.
S60 3rd Edition Feature Pack 1 (or S60 3.1)

Symbian Signed Overview




Welcome

Symbian Signed promotes best practice in
designing applications to run on Symbian OS
phones. Symbian Signed applications follow
industry-agreed quality guidelines and
support network operator requirements for
signed applications. More details about
Symbian Signed can be found here.

Understanding The Signing Process

In order to Symbian Sign your application there are a number
of steps that need to be followed.

Symbian Signed Test Criteria

Applications submitted to Symbian Signed will be validated
against specific test criteria.

Symbian Developer Network

The Symbian Developer Network is the primary source of
solutions for all developer requirements.

SYMBIAN SIGNED WEBSITE UPDATE - SITE FULLY
FUNCTIONAL FOR REGISTERED ACCOUNTS

The Symbian Signed web site has now been migrated, with the
following functionality now available.

• Applications may be submitted via the site for testing via
TEST HOUSES.

Get your freeware Symbian Signed

Symbian Signed launches new Certificate Authority.

Fast-Track signing process now available

Test Criteria (v2.11.0) - Updated!

Developer Certificate changes

Product updates

• A new tool to export TrustCenter Publisher Ids is available

• A new version of "VerifySymbianSigned" tool is available

• A new version of DevCertRequest is available

• A new version of AppTest Lite for Symbian OS phones.






Symbian News

► OMTP PRODUCT PROFILE PROCESS

► FOMA™ SH903J launched today is based on Symbian OS

► Symbian Signed launches new initiatives to make application signing faster

► Symbian launches new book for Accredited Symbian Developer exam

► Sling Media and Symbian partner to bring personal TV home viewing to consumers

► Symbian welcomes the Samsung SGH-J520

► LG Electronics introduces HSDPA Symbian smartphone




Basic Capabilities: LocalServices, UserEnvironment, NetworkServices, Location, ReadUserData, WriteUserData
→ Generic Symbian Signed Test Criteria

Extended Capabilities: Read Device Data, Write Device Data, SWEvent, ProtSrv, Power Mgmt, SurroundingsDD, TrustedUI
→ Declarative statements and API declarations

Phone Manufacturer Approved: DRM, NetworkControl, Multimedia DD, TCB, All Files, CommDD, DiskAdmin
→ Licensee defined additional tests through Channel Certification
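
The three capability tiers on the slide above can be turned into a quick triage check for the capabilities a package requests. This is an added example, not code from the talk or from Symbian: the package names and manifests are constructed, and the name normalisation (including accepting ProtServ for the slide's ProtSrv) is an assumption.

```python
# Added example: tier contents follow the slide; sample package data is constructed.
import re

TIERS = [  # (tier, requirement the slide lists with it, capabilities)
    ("Basic", "Generic Symbian Signed Test Criteria",
     "LocalServices UserEnvironment NetworkServices Location ReadUserData WriteUserData".split()),
    ("Extended", "Declarative statements and API declarations",
     "ReadDeviceData WriteDeviceData SWEvent ProtSrv PowerMgmt SurroundingsDD TrustedUI".split()),
    ("Phone Manufacturer Approved",
     "Licensee defined additional tests through Channel Certification",
     "DRM NetworkControl MultimediaDD TCB AllFiles CommDD DiskAdmin".split()),
]

def _key(name):
    """Fold case, spaces and underscores so 'Read Device Data' == 'ReadDeviceData'."""
    return re.sub(r"[\s_]+", "", name).lower()

RANK = {_key(c): i for i, (_, _, caps) in enumerate(TIERS) for c in caps}
RANK[_key("ProtServ")] = RANK[_key("ProtSrv")]  # assumption: alternate spelling

def classify(requested):
    """Return (highest tier, its requirement, unknown names) for a capability list."""
    ranks, unknown = [], []
    for cap in requested:
        rank = RANK.get(_key(cap))
        if rank is None:
            unknown.append(cap)  # a misspelt name is reported, never assumed harmless
        else:
            ranks.append(rank)
    if not ranks:
        return ("None", "no listed capability requested", unknown)
    tier, requirement, _ = TIERS[max(ranks)]
    return (tier, requirement, unknown)

def audit(packages):
    """Flag packages that go beyond the basic tier or name unknown capabilities."""
    flagged = {}
    for name, caps in packages.items():
        tier, requirement, unknown = classify(caps)
        if tier not in ("None", "Basic") or unknown:
            flagged[name] = (tier, requirement, unknown)
    return flagged

# Constructed sample manifests (hypothetical package names).
SAMPLE = {
    "notes.sis": ["ReadUserData", "WriteUserData"],
    "backup.sis": ["Read Device Data", "NetworkServices", "All Files"],
    "game.sis": ["LocalServices", "UserEnviornment"],
}
```
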
Mobile Spyware

Mobile spying tools are applications that are
installed into a smartphone and send
information out from the phone

• Typical example would be an application that
sends all received SMS messages to a third
party without permission from the user

Mobile spying tools might not be illegal in
themselves

• Spyware vendors insist that their spyware must
be used only for legal purposes

Targeted and untargeted spying tools



Targeted spying tools are limited by the vendor 

• A spy must know the victim before obtaining the spying tool

• Usually the limiting is done by requiring the target device's IMEI code in
order to be able to obtain the spying software

• So the spy needs to have access to the device twice

• This is done by spyware authors more as a way of copy protection
than out of concern for how their software is going to be used

Untargeted spyware can be installed into any device

• The victim of the spying tool can be picked at random

• The spy needs to access the device only once

Information that can be stolen by spyware



Text messages 

• Sender and receiver phone numbers and phonebook names 

• The content of the SMS messages (think two-factor passwords)

Call information

• Incoming or outgoing call and to what number

• Time and duration of the call

Voice recording

• Application can record all phone calls

• Application can also record anything that's spoken near the phone

Physical location

• Spyware records in which GSM cell it is and how strong the field is

So... what about iPhone viruses?



- Closed platform

- No SDK

- Hard to program 

- No Bluetooth file transmissions 

- File system not accessible 



+ Has the userbase 
+ Lots of eager hackers 
+ First attempt from Apple 




Verdict: I'd give it a 90% chance that we'll see an iPhone virus 
Perhaps spreading via SMS or email. 



Oh, and one more thing...

How well does iPhone work in Nordic winter conditions?
http://www.youtube.com/fslabs

Feel free to try us out



Visit: www.f-secure.mobi 



With a [Windows Mobile | Symbian] phone 
Contains an Antivirus and a Firewall.

And in the future?



More for-profit malware 

Native malware for S60 3rd edition 



More Java malware 

More Windows Mobile malware 

SMS worms 

Wi-Fi worms - for Windows 

Mobile worms using exploits 
(perhaps exploiting things like 
MMS, OTA, reflashing etc) 









Mikko Hypponen 
Chief Research Officer 
F-Secure Corporation 



www.f-secure.com 
www.hypponen.com 




